An attacker could leverage this vulnerability to create a sub-directory within the affected application that could contain arbitrary files, which could lead to information disclosure. ColdFusion versions Update 15 (and later) and Update 5 (and later) are not vulnerable to this issue at the time of publishing.


Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction. ColdFusion versions Update 15 (and later) and Update 5 (and later) are not vulnerable to this issue at the time of publishing. Adobe ColdFusion versions prior to Update 11 (and earlier) are also affected by one or more XSS vulnerabilities. These issues could potentially be exploited by attackers to inject arbitrary web script into your application that could be used to steal data or cause a denial of service. Update 14 and earlier are not vulnerable to these issues at the time of publishing.

What is the most recent version of ColdFusion?

ColdFusion versions Update 15 (and later) and Update 5 (and later) are not vulnerable to this issue at the time of publishing. ColdFusion versions prior to Update 11 (and earlier) are also affected by one or more XSS vulnerabilities. These issues could potentially be exploited by attackers to inject arbitrary web script into your application that could be used to steal data or cause a denial of service. Update 14 and earlier are not vulnerable to these issues at the time of publishing.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC

References